How do I deobfuscate AutoIt strings?

reverse-engineering deobfuscation
2021-06-19 12:02:17

The code is:

https://pastebin.com/ZwvySjgy

Is it possible to deobfuscate the strings protected by STRINGDEC?

2 Answers

The function STRINGDEC is not a built-in AutoIt function. It was implemented by the programmer to create a kind of substitution cipher.

You can see the source code of the function at the bottom of the script:

FUNC STRINGDEC($STRING,$PARAM)
    $STRING=STRINGTOASCIIARRAY($STRING)   ; array of code points of the encoded text
    $PARAM=STRINGSPLIT($PARAM,",",2)      ; comma-separated list of shifts, one per output char
    $COUNT=0
    $RETURN=""
    FOR $I=0 TO UBOUND($PARAM)-1
        $CHAR=$PARAM[$I]
        $COMPARE=$STRING[$COUNT]
        $RETURN&=CHRW($CHAR+$COMPARE)     ; output char = shift + code point of current input char
        IF $COUNT=UBOUND($STRING)-1 THEN  ; wrap around to the start of the input
            $COUNT=0
        ELSE
            $COUNT=$COUNT+1
        ENDIF
    NEXT
    RETURN $RETURN
ENDFUNC

You can easily implement it yourself in Python, the usual language for this kind of task:

def stringdec(encoded_string, shifts):
    shift_array = shifts.split(',')
    count = 0
    decoded_string = ""
    for key in shift_array:
        # Add the shift to the code point of the current input character (CHRW($CHAR+$COMPARE))
        encoded_char = encoded_string[count]
        decoded_string += chr(ord(encoded_char) + int(key))
        # Wrap around to the start of the input once its last character has been used
        if count == len(encoded_string) - 1:
            count = 0
        else:
            count += 1
    return decoded_string

Now just run the function to display the decrypted strings:

>>> stringdec("cafcpiykeudtenowwkcwacdibognfe","0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")
'char Magic[2];'

>>> stringdec("ubkwizcimjccdlngsyozqnmibctpmy","2,13,7,-19,-73,-56,22,11,-8,9,-20,11,-24,-11,5,13,-35,-24,-8,-21,-54")
'word BytesOnLastPage;'

>>> stringdec("jkmnqgfdegisgbolkjuviexnjchhmj","13,4,5,-10,-81,-23,-5,3,0,12,-46")
'word Pages;'

>>> stringdec("juwfbhmxssmocpwtpbcobugkqfdcsx","13,-6,-5,-2,-66,-22,-8,-12,-4,-16,-12,5,6,-1,-9,-1,-53")
'word Relocations;'

Check this pastebin page for the full list of decrypted strings.

You need to reimplement the following function:

FUNC STRINGDEC($STRING,$PARAM)
    $STRING=STRINGTOASCIIARRAY($STRING)
    $PARAM=STRINGSPLIT($PARAM,",",2)
    $COUNT=0
    $RETURN=""
    FOR $I=0 TO UBOUND($PARAM)-1
        $CHAR=$PARAM[$I]
        $COMPARE=$STRING[$COUNT]
        $RETURN&=CHRW($CHAR+$COMPARE)
        IF $COUNT=UBOUND($STRING)-1 THEN
            $COUNT=0
        ELSE
            $COUNT=$COUNT+1
        ENDIF
    NEXT
    RETURN $RETURN
ENDFUNC

This function is at the end of the pastebin script.

Based on some samples taken from your pastebin, if I am not mistaken, in Python it should look like

def STRINGDEC(thestring, thekey):
    res = ""
    # The keys in the script contain stray spaces, so remove them before splitting
    thekey = thekey.replace(" ", "")
    splittedkey = thekey.split(",")
    string_length = len(thestring)
    # Add each shift to the code point of the corresponding input character;
    # the index wraps around if the key is longer than the string, as in the AutoIt original
    for i in range(len(splittedkey)):
        res += chr(ord(thestring[i % string_length]) + int(splittedkey[i]))
    return res

print(STRINGDEC("retwkmufmhmqqqdufngfgdcsnpuhur", " 5 ,10,-2,-19,-75,-32,-20,-3,-5,1,1,-12,-54"))
print(STRINGDEC("jkyhbzkqgtbnrbyvhdlfukgrzrptzq", " 13,4 ,-7,-4 ,-66,-44,10,-4,-5,-15,16,-31,-12,-15,-20,-19,12,5,3,8,-2,-48"))
print(STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm", " -2 ,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49"))
print(STRINGDEC("zopsbydhesjliykcpzsrvtfauhflxz", " -22,8,-1,-1,2,-89,-20,7,4,-5,10,-7,9,-37,4,-16,9,-13,-17,-3,-10,-32,-5,1,-9,-3,-43"))
print(STRINGDEC("flefcfumutnglnuaesxlfacuwsbvwu", " -2 ,11,10,12,1,-70,-39,8,-8,-18,-9,11,-29,-8,-34,24,8,-17,-9,0,13,-38"))
print(STRINGDEC("sirkouutovjrulplwkbwilyyfdsrvn", " 4  ,6,0,-7,-79,-34,-12,6,-10,-39,-4,-35,-5,8,-7,3,-9,-10,10,-47,-4,-11,-21,-20,12,-41"))

It gives the following results:

word Machine;
word NumberOfSections;
dword TimeDateStamp;
dword PointerToSymbolTable;
dword NumberOfSymbols;
word SizeOfOptionalHeader;

Searching for the deobfuscation function always helps, and sometimes the function is easy to find.
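Both answers decode the strings one call at a time. The example below, added to this page and not taken from either answer or from the pastebin, goes one step further: it ports STRINGDEC faithfully (wrap-around of the input index, the stray spaces inside the keys, an empty input) and then finds every STRINGDEC("...", "...") call site in a script with a regular expression, decodes each one and rewrites the call into a plain AutoIt string literal, which is what you want when the script has dozens of such calls. SAMPLE_AU3 is a constructed fragment built from three call sites quoted in the answers above, and the names CALL_RE, decode_all and rewrite_literals are this example's own.

```python
import re

# Constructed AutoIt fragment (not the pastebin script) built from three
# STRINGDEC call sites quoted in the answers above, to exercise bulk decoding.
SAMPLE_AU3 = '''Global $sMagic = STRINGDEC("cafcpiykeudtenowwkcwacdibognfe", "0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")
Global $sMachine = STRINGDEC("retwkmufmhmqqqdufngfgdcsnpuhur", " 5 ,10,-2,-19,-75,-32,-20,-3,-5,1,1,-12,-54")
MsgBox(0, "", STRINGDEC("jkmnqgfdegisgbolkjuviexnjchhmj", "13,4,5,-10,-81,-23,-5,3,0,12,-46"))
'''

# Matches STRINGDEC("<text>", "<shifts>"); AutoIt identifiers are case-insensitive.
CALL_RE = re.compile(r'STRINGDEC\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE)


def stringdec(string, param):
    """Port of the AutoIt STRINGDEC: out[i] = CHRW(shift[i] + code(string[i mod len]))."""
    codes = [ord(c) for c in string]                         # STRINGTOASCIIARRAY
    # STRINGSPLIT($PARAM, ",", 2); int() tolerates the stray spaces seen in the keys
    shifts = [int(p) for p in param.split(",") if p.strip()]
    if not codes:
        return ""                                            # nothing to index into
    out = []
    count = 0
    for shift in shifts:
        out.append(chr(shift + codes[count]))                # CHRW($CHAR + $COMPARE)
        count = 0 if count == len(codes) - 1 else count + 1  # wrap around the input
    return "".join(out)


def decode_all(source):
    """Return (call_text, decoded_string) for every STRINGDEC call in an AutoIt source."""
    return [(m.group(0), stringdec(m.group(1), m.group(2)))
            for m in CALL_RE.finditer(source)]


def rewrite_literals(source):
    """Replace each STRINGDEC call with the equivalent plaintext AutoIt string literal."""
    def repl(m):
        plain = stringdec(m.group(1), m.group(2))
        return '"' + plain.replace('"', '""') + '"'          # AutoIt doubles embedded quotes
    return CALL_RE.sub(repl, source)


if __name__ == "__main__":
    for call, plain in decode_all(SAMPLE_AU3):
        print(f"{plain!r:20} <- {call}")
    print(rewrite_literals(SAMPLE_AU3))
```

Run it against the real script by reading the .au3 file into `source` and printing `rewrite_literals(source)`; the decoded output is a script whose string literals can be read directly, which also makes the PE-header field names the answers recovered visible in context.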